Hi Folks,

Thanks tons to Mike Auty, Andrew Case, Joe Sylve, Andrew DiMino, Michael Cohen, and Jamie Levy; I'm now up and running with Volatility for Linux. I did want to mention a couple of things that I ran into problems with. It's possible we might want some related items to be more prominent in the documentation.


1.      While the -h option output does include the line, "--info                Print information about all registered objects", it still wasn't immediately clear to me that this option would list available profiles. In fact, I somehow managed to miss the existence of --info entirely. It might be useful to actually include the list of available profiles in the -h output. Alternatively, maybe we could move --info in the -h output closer to the top, and specifically mention that it will list available profiles?

2.      It wasn't clear to me initially that to define a profile, you drop an appropriately named .zip file with appropriate contents into volatility/plugins. It's still not entirely clear, as from some of my reading it looks like you're supposed to put the profile file into volatility/plugins/overlays/<ostype> instead. I'm guessing both probably work, though I haven't tested. I suspect one is legacy or something. You might want to append a notation to the --profile line in the -h output to, "see the tools/<ostype>/README file for details on profile creation", and then spell this out a little more clearly there, including how the profile name is constructed, based on the name of the zip file.

3.      I ran into a problem using the specific zip command listed in the tools/linux/README file, "zip Distro.zip module.dwarf /boot/System.map-2.6.32-8-generic". This creates a zip file with a boot subfolder containing the System.map file, which didn't work in my testing. I had to copy the System.map file to the current folder and then zip up the two files.

4.      The linux wiki document is out of date, but I imagine you already knew that. It should refer to the linux-trunk branch instead of the scudette branch. It also doesn’t say where to put the .zip file to create a profile, how the name of the new profile is created, based on the .zip file name, or how to get a list of available profiles.


                              Thanks again

                                             John
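The layout problem in item 3 above, shown as an added example that is not part of John's message or of the Volatility project's own tooling. Running `zip Distro.zip module.dwarf /boot/System.map-...` stores the second file as `boot/System.map-...` (zip strips the leading slash but keeps the directory), which is the nested layout that did not work; `zip -j` (junk paths) or copying the file next to module.dwarf first produces the flat layout that did. The script below uses Python's standard `zipfile` module instead of the `zip` binary so it runs without zip installed; it builds both layouts from constructed placeholder files (not a real module.dwarf or System.map) and runs a small check that flags any member stored inside a subfolder. The function names and the `check_profile_zip` rules are this example's own, not anything the README defines.

```python
import os
import shutil
import tempfile
import zipfile


def build_profile_zip(zip_path, members, flatten, root):
    """Write zip_path containing the files listed in members.

    flatten=True stores each file under its base name only, which is what
    `zip -j` does and matches the layout that worked in the post
    (module.dwarf and System.map side by side at the top level).
    flatten=False stores each file with its path relative to root, which
    reproduces what `zip Distro.zip module.dwarf /boot/System.map-...`
    produces: the System.map ends up inside a boot/ subfolder.
    """
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in members:
            if flatten:
                arcname = os.path.basename(path)
            else:
                arcname = os.path.relpath(path, root)
            zf.write(path, arcname)
    return zip_path


def check_profile_zip(zip_path):
    """Return a sorted list of layout problems for a profile zip.

    An empty list means the archive holds a .dwarf member and a System.map
    member and nothing is stored under a subfolder. The rules are this
    example's own sanity checks, not Volatility's loader logic.
    """
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    problems = []
    for name in names:
        if "/" in name:
            problems.append("member in subfolder: " + name)
    leaves = [name.rsplit("/", 1)[-1] for name in names]
    if not any(leaf.endswith(".dwarf") for leaf in leaves):
        problems.append("no .dwarf member")
    if not any(leaf.startswith("System.map") for leaf in leaves):
        problems.append("no System.map member")
    return sorted(problems)


def demo():
    """Build both layouts from constructed placeholder files and check each.

    Returns {"as_readme": [...], "flattened": [...]} where each value is the
    problem list from check_profile_zip for that layout.
    """
    work = tempfile.mkdtemp()
    try:
        boot = os.path.join(work, "boot")
        os.makedirs(boot)
        dwarf = os.path.join(work, "module.dwarf")
        sysmap = os.path.join(boot, "System.map-2.6.32-8-generic")
        # Constructed stand-ins so the example runs offline; a real profile
        # uses the actual module.dwarf and the kernel's /boot/System.map-*.
        with open(dwarf, "w") as f:
            f.write("placeholder, not real DWARF output\n")
        with open(sysmap, "w") as f:
            f.write("c0100000 T startup_32\n")

        # Layout the README command produces: System.map under boot/.
        nested = build_profile_zip(os.path.join(work, "Distro-nested.zip"),
                                   [dwarf, sysmap], flatten=False, root=work)
        # Layout that worked: both files at the top level (zip -j equivalent).
        flat = build_profile_zip(os.path.join(work, "Distro.zip"),
                                 [dwarf, sysmap], flatten=True, root=work)
        return {"as_readme": check_profile_zip(nested),
                "flattened": check_profile_zip(flat)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "ok")
```

Running it reports the subfolder member for the README-style archive and no problems for the flattened one; `check_profile_zip` can be pointed at any profile zip you have built to confirm the members sit at the top level before dropping it into the plugins directory.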